| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2020-11023 |
79 |
|
Exec Code XSS |
2020-04-29 |
2021-04-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
|
2 |
CVE-2020-11022 |
79 |
|
Exec Code XSS |
2020-04-29 |
2021-04-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. |
|
3 |
CVE-2019-11876 |
79 |
|
XSS |
2019-05-24 |
2019-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
In PrestaShop 1.7.5.2, the shop_country parameter in the install/index.php installation script/component is affected by Reflected XSS. Exploitation by a malicious actor requires the user to follow the initial stages of the setup (accepting terms and conditions) before executing the malicious link. |
|
4 |
CVE-2019-11358 |
79 |
|
XSS |
2019-04-20 |
2021-03-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. |
|
5 |
CVE-2019-10909 |
79 |
|
XSS |
2019-05-16 |
2021-04-20 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. |
|
6 |
CVE-2019-6341 |
79 |
|
XSS |
2019-03-26 |
2019-05-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability. |
|
7 |
CVE-2018-9861 |
79 |
|
XSS |
2018-04-19 |
2019-07-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element. |
|
8 |
CVE-2017-6929 |
79 |
|
XSS |
2018-03-01 |
2018-03-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal core upgrade to jQuery 3. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module. |
|
9 |
CVE-2017-6927 |
79 |
|
XSS |
2018-03-01 |
2018-03-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML (as JavaScript output does not typically go through Twig autoescaping). This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances. The PHP functions which Drupal provides for HTML escaping are not affected. |
|
10 |
CVE-2016-7571 |
79 |
|
XSS |
2016-10-03 |
2016-10-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 8.x before 8.1.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an HTTP exception. |
|
11 |
CVE-2015-6665 |
79 |
|
XSS |
2015-08-24 |
2016-12-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag. |
|
12 |
CVE-2015-6658 |
79 |
|
XSS |
2015-08-24 |
2016-12-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Autocomplete system in Drupal 6.x before 6.37 and 7.x before 7.39 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, related to uploading files. |
|
13 |
CVE-2014-8765 |
79 |
|
XSS |
2014-10-14 |
2014-10-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page. |
|
14 |
CVE-2014-8748 |
79 |
|
XSS |
2014-10-13 |
2014-10-16 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Google Doubleclick for Publishers (DFP) module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer dfp" permission to inject arbitrary web script or HTML via a slot name. |
|
15 |
CVE-2014-8747 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages. |
|
16 |
CVE-2014-8746 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
|
17 |
CVE-2014-8745 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary label. |
|
18 |
CVE-2014-8744 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title. |
|
19 |
CVE-2014-8743 |
79 |
|
XSS |
2014-10-13 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name. |
|
20 |
CVE-2014-8296 |
79 |
|
XSS |
2014-10-16 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Modal Frame API module 6.x-1.x before 6.x-1.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
21 |
CVE-2014-8079 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to header background setting. |
|
22 |
CVE-2014-8078 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Print (aka Printer, e-mail and PDF versions) module 6.x-1.x before 6.x-1.19, 7.x-1.x before 7.x-1.3, and 7.x-2.x before 7.x-2.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes. |
|
23 |
CVE-2014-8077 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the NewsFlash theme 6.x-1.x before 6.x-1.7 and 7.x-1.x before 7.x-2.5 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to font family CSS property. |
|
24 |
CVE-2014-8076 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Professional theme 7.x before 7.x-2.04 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to custom copyright information. |
|
25 |
CVE-2014-8075 |
79 |
|
XSS |
2014-10-09 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Tribune module 6.x-1.x and 7.x-3.x for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title. |
|
26 |
CVE-2014-7980 |
79 |
|
XSS |
2014-10-08 |
2014-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in template.php in Zen theme 7.x-3.x before 7.x-3.3 and 7.x-5.x before 7.x-5.5 for Drupal allow remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via the skip_link_text setting and unspecified other theme settings. |
|
27 |
CVE-2014-7979 |
79 |
|
XSS |
2014-10-08 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the SimpleCorp theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
|
28 |
CVE-2014-7978 |
79 |
|
XSS |
2014-10-08 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the BlueMasters theme 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings. |
|
29 |
CVE-2014-7870 |
79 |
|
XSS |
2014-10-06 |
2014-10-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with the "administer custom search" permission to inject arbitrary web script or HTML via the "Label text" field to admin/config/search/custom_search/results. |
|
30 |
CVE-2014-7869 |
79 |
|
XSS |
2014-10-06 |
2014-10-07 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the configuration UI in the Context Form Alteration module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer contexts" permission to inject arbitrary web script or HTML via unspecified vectors. |
|
31 |
CVE-2014-5022 |
79 |
|
XSS |
2014-07-22 |
2014-07-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field. |
|
32 |
CVE-2014-5021 |
79 |
|
XSS |
2014-07-22 |
2014-07-22 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group label. |
|
33 |
CVE-2014-1607 |
79 |
|
XSS |
2014-01-26 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
** DISPUTED ** Cross-site scripting (XSS) vulnerability in the EventCalendar module for Drupal 7.14 allows remote attackers to inject arbitrary web script or HTML via the year parameter to eventcalander/. NOTE: this issue has been disputed by the Drupal Security Team; it may be site-specific. If so, then this CVE will be REJECTed in the future. |
|
34 |
CVE-2013-6388 |
79 |
|
XSS |
2013-12-24 |
2014-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS. |
|
35 |
CVE-2013-6387 |
79 |
|
XSS |
2013-12-24 |
2014-01-04 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field. |
|
36 |
CVE-2013-0244 |
79 |
|
XSS |
2014-01-19 |
2014-03-08 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involving unspecified Javascript functions that are used to select DOM elements. |
|
37 |
CVE-2012-2078 |
79 |
|
XSS |
2019-11-21 |
2019-12-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Activity module 6.x-1.x for Drupal. |
|
38 |
CVE-2012-1646 |
79 |
|
XSS |
2012-09-25 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |
|
39 |
CVE-2012-1637 |
79 |
|
XSS |
2019-11-21 |
2019-12-11 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting vulnerability (XSS) in the Quick Tabs module 6.x-2.x before 6.x-2.1, 6.x-3.x before 6.x-3.1, and 7.x-3.x before 7.x-3.3 for Drupal. |
|
40 |
CVE-2011-3373 |
79 |
|
XSS |
2019-11-25 |
2019-12-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Drupal Views Builk Operations (VBO) module 6.x-1.0 through 6.x-1.10 does not properly escape the vocabulary help when the vocabulary has had user tagging enabled and the "Modify node taxonomy terms" action is used. A remote attacker could provide a specially-crafted URL that could lead to cross-site scripting (XSS) attack. |
|
41 |
CVE-2011-2714 |
79 |
|
XSS |
2020-01-14 |
2020-01-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display. |
|
42 |
CVE-2010-3094 |
79 |
|
XSS |
2010-09-21 |
2010-09-22 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module. |
|
43 |
CVE-2010-3022 |
79 |
|
XSS |
2010-08-16 |
2017-08-17 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL. |
|
44 |
CVE-2010-2472 |
79 |
|
XSS |
2019-11-07 |
2019-11-13 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Locale module and dependent contributed modules in Drupal 6.x before 6.16 and 5.x before version 5.22 do not sanitize the display of language codes, native and English language names properly which could allow an attacker to perform a cross-site scripting (XSS) attack. This vulnerability is mitigated by the fact that an attacker must have a role with the 'administer languages' permission. |
|
45 |
CVE-2010-2250 |
79 |
|
XSS |
2019-11-07 |
2021-04-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Drupal 5.x and 6.x before 6.16 uses a user-supplied value in output during site installation which could allow an attacker to craft a URL and perform a cross-site scripting attack. |
|
46 |
CVE-2009-4371 |
79 |
|
XSS |
2009-12-21 |
2017-08-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Locale module (modules/locale/locale.module) in Drupal Core 6.14, and possibly other versions including 6.15, allows remote authenticated users with "administer languages" permissions to inject arbitrary web script or HTML via the (1) Language name in English or (2) Native language name fields in the Custom language form. |
|
47 |
CVE-2009-4370 |
79 |
|
XSS |
2009-12-21 |
2017-08-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Menu module (modules/menu/menu.admin.inc) in Drupal Core 6.x before 6.15 allows remote authenticated users with permissions to create new menus to inject arbitrary web script or HTML via a menu description, which is not properly handled in the menu administration overview. |
|
48 |
CVE-2009-4369 |
79 |
|
XSS |
2009-12-21 |
2017-08-17 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Contact module (modules/contact/contact.admin.inc or modules/contact/contact.module) in Drupal Core 5.x before 5.21 and 6.x before 6.15 allows remote authenticated users with "administer site-wide contact form" permissions to inject arbitrary web script or HTML via the contact category name. |
|
49 |
CVE-2009-2373 |
79 |
|
XSS |
2009-07-08 |
2009-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Forum module in Drupal 6.x before 6.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
50 |
CVE-2009-1942 |
79 |
|
XSS |
2009-06-05 |
2009-06-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Quiz module 5.x, 6.x-2.x before 6.x-2.2, and 6.x-3.x before 6.x-3.0, a module for Drupal, allows remote authenticated users, with create quizzes or quiz questions access, to inject arbitrary web script or HTML via unspecified vectors. |
